SSL Certs Seems To Fail

I just recently created a new app. Upon creating it, I added a custom domain, pointed the A and AAAA records to the IPs as directed, and successfully validated a wildcard SSL cert.

Oddly enough however, when attempting to curl to the site, I get the following error:

❯ curl -vvv -H "Host: MYDOMAIN" https://MYIP
*   Trying MYIP...
* Connected to MYIP (MYIP) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to MYIP:443
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to MYIP:443

Similarly, browsers refuse to connect to the domain due to being “unable to make a secure connection”. I’ve redeployed a few times thinking that it might fix some state within the load balancer infrastructure, but nothing seems to be working. At a bit of a loss as to what might be wrong or what I may have misconfigured.

Edit
Seemingly related:

A Host header is not sufficient for us to determine the SNI (Server Name Indicator) to figure out which certificate to serve.

There are a few ways to test this without changing your DNS records to point to us:

  • Add a /etc/hosts entry temporarily for the subdomain you want to test (e.g. anything.your-hostname.com) pointing at the IP assigned to your account
  • Use --resolve with curl, like:
      curl -v https://anything.your-hostname.com --resolve anything.your-hostname.com:443:<your fly ip>
  • Use openssl s_client:
      openssl s_client -connect <your fly ip>:443 -servername anything.your-hostname.com

I have confirmed your wildcard certificate is being served properly.

Thanks Jerome - it turns out my error came from the fact that I mistakenly believed a wildcard cert alone (wildcard cert: *.mydomain.com) would also be applied for the root domain, such that mydomain.com would be served under the auspices of that cert. Your message made me double check myself, and I created a separate cert for the root domain (mydomain.com), and now everything works as I’d expect.

Thanks for the response!
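As an added example (not code from the thread or from Fly.io), here is the name-matching rule that caught the original poster, written out in Python: a wildcard dNSName covers exactly one label, so *.mydomain.com never covers the apex mydomain.com, and a second helper reproduces the curl --resolve / openssl -servername check by connecting to an IP with explicit SNI and returning the leaf certificate's SAN names. The SAN list used in main() is constructed, and mydomain.com and the IP are placeholders.

```python
import socket
import ssl


def hostname_matches(hostname: str, san_dns_names: list[str]) -> bool:
    """Return True if hostname is covered by one of the dNSName SAN entries.

    Applies the RFC 6125 rule browsers and curl use: a wildcard is honoured
    only as the complete left-most label and it matches exactly one label, so
    "*.mydomain.com" covers "app.mydomain.com" but neither "mydomain.com"
    (the apex) nor "a.b.mydomain.com".
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue  # a wildcard never stands in for a missing or extra label
        if labels[0] == "*":
            if len(labels) < 3:
                continue  # refuse "*.com"-style wildcards outright
            if labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def served_san_names(ip: str, hostname: str, port: int = 443) -> list[str]:
    """Connect to ip with SNI set to hostname (what --resolve / -servername do)
    and return the dNSName SANs of the leaf certificate the server picked.

    The chain is still validated; only the hostname check is turned off so the
    SAN list can be inspected even when it does not cover hostname.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((ip, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed SAN list standing in for the poster's wildcard-only cert.
    sans = ["*.mydomain.com"]
    for host in ("app.mydomain.com", "mydomain.com", "a.b.mydomain.com"):
        print(f"{host:>20}: {'covered' if hostname_matches(host, sans) else 'NOT covered'}")
    # Live check (placeholders): served_san_names("MYIP", "mydomain.com")
```

Run the live helper against your own IP and hostname to see which SANs the edge actually serves for a given SNI; a missing apex name in that list is exactly the failure described above.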